Simple server installation done
parent
cab2d08327
commit
aa317319ea
@ -0,0 +1 @@
.venv/*
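--- a/README.md
+++ b/README.md
@@ -0,0 +1,37 @@
+# Wireguard automated install with vagrant and asnible provision
+
+
+## Dependencies:
+System:
+
+```bash
+# apt install python3 python3-pip python3-venv
+```
+
+Python:
+
+```bash
+python3 -m venv .venv
+source ./.venv/bin/activate
+pip install -r requirements.txt
+```
+Ansible:
+
+```bash
+ansible-galaxy install -r requirements.yml
+```
+
+
+## Start
+```bash
+./virsh_network/start.sh
+cd vg && vagrant up --provider=libvirt --no-parallel
+```
+
+
+## Destroy the environment
+```bash
+vagrant destroy
+./virsh_network/destroy.sh
+```
+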
@ -0,0 +1 @@
ansible==7.3.0
@ -0,0 +1,4 @@
# ansible-galaxy collection list
collections:
- name: community.general
version: '5.6.0'
@ -0,0 +1 @@
.vagrant/*
@ -0,0 +1,46 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
config.vm.box = "generic/ubuntu2004"
config.vm.provider :libvirt do |libvirt|
libvirt.qemu_use_session = false
end
config.vm.define "kp-root-node" do |rootNode|
rootNode.vm.hostname = "kp-root-node"
rootNode.vm.network :private_network, ip: "192.168.123.10", :libvirt_network_mage => "kp_wg_network"
rootNode.vm.provider :kvm do | kvm, override |
kvm.memory_size = '2048m'
end
rootNode.vm.provider :libvirt do |libvirt, override|
libvirt.memory = 2048
libvirt.nested = true
libvirt.cpus = 2
end
# Ansible provisioning
rootNode.vm.provision "server_init", type:'ansible' do |ansible|
ansible.playbook = "playbooks/server_init.yml"
ansible.become = true
ansible.host_key_checking = false
ansible.verbose = "v"
end
end
(1..3).each do |i|
config.vm.define "kp-client#{i}" do |client|
client.vm.hostname = "kp-client#{i}"
client.vm.network :private_network, ip: "192.168.123.1#{i}", :libvirt_network_mage => "kp_wg_network"
client.vm.provider :kvm do | kvm, override |
kvm.memory_size = '2048m'
end
client.vm.provider :libvirt do |libvirt, override|
libvirt.memory = 1024
libvirt.nested = true
libvirt.cpus = 1
end
end
end
end
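Review bot: The private_network option key `:libvirt_network_mage` on the rootNode network line, and again inside the client loop, looks like a typo; vagrant-libvirt's option for attaching a guest to a named network is `libvirt__network_name` (double underscore), so the argument as written is presumably ignored and the VMs may not land on the `kp_wg_network` bridge that the virsh scripts create. Suggested: `rootNode.vm.network :private_network, ip: "192.168.123.10", libvirt__network_name: "kp_wg_network"` with the matching change in the client block. Separately, `ansible.host_key_checking = false` turns off SSH host-key verification for the provisioner; that is common for throwaway lab guests but deserves a comment stating the reason, e.g. `# lab VMs are recreated on every vagrant up, so their host keys are not stable`. The `:kvm` provider blocks are dead configuration in a libvirt-only setup and can be removed.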
@ -0,0 +1,83 @@
---
- hosts: all
become: yes
tasks:
- name: Install wireguard and ufw
ansible.builtin.apt:
name:
- wireguard
- ufw
state: present
- name: Generate a wireguard server privatekey
ansible.builtin.shell: "wg genkey > /etc/wireguard/private.key"
- name: Read privatekey from the wireguard folder
ansible.builtin.shell: "cat /etc/wireguard/private.key"
register: server_private_key_stdout
- name: Set the file content to a variable
ansible.builtin.set_fact:
server_private_key: "{{ server_private_key_stdout.stdout }}"
- name: Get the default public interface
ansible.builtin.shell: "ip route list | grep default | awk '{print $5}'"
register: server_public_interface_stdout
- name: Set the stdout of the public interface to a variable
ansible.builtin.set_fact:
server_public_interface: "{{ server_public_interface_stdout.stdout }}"
- name: Protect the privatekey by allowing only the root user to read
ansible.builtin.file:
path: "/etc/wireguard/private.key"
owner: root
group: root
mode: '077'
- name: Generate a wireguard server pubkey
ansible.builtin.shell: "cat /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key"
- name: Protect the privatekey by allowing only the root user to read
ansible.builtin.file:
path: "/etc/wireguard/public.key"
owner: root
group: root
- name: Install the server wireguard template to the server
ansible.builtin.template:
src: "server_wg0.conf"
dest: "/etc/wireguard/wg0.conf"
- name: Ensure that the permissions to the config are not too open
ansible.builtin.file:
path: "/etc/wireguard/wg0.conf"
owner: root
group: root
mode: '077'
- name: Allow everything and enable UFW
community.general.ufw:
state: enabled
policy: allow
- name: Set logging for the ufw
community.general.ufw:
logging: 'on'
- name: Allow all access to port 22
community.general.ufw:
rule: allow
port: '22'
- name: Allow all access to wireguard port (udp)
community.general.ufw:
rule: allow
port: '51820'
proto: udp
- name: Start the wireguard service
ansible.builtin.service:
name: wg-quick@wg0.service
enabled: yes
state: started
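Review bot: `mode: '077'` on the private-key file task, and again on the wg0.conf task, does the opposite of what the task names say: Ansible reads that string as octal 077, which removes every permission from the owner and grants read/write/execute to group and world, so the server private key ends up readable by any local account. Use `mode: '0600'` on both tasks (the public.key task also carries a copy-pasted "Protect the privatekey" name and sets no mode at all). The `wg genkey > /etc/wireguard/private.key` shell task regenerates the key on every provisioning run and creates the file under the default umask before the permission task runs; adding `creates: /etc/wireguard/private.key` makes it run once, and an `umask 077` prefix in the command closes the window. Because the Vagrantfile sets `ansible.verbose = "v"`, the registered stdout of the `cat /etc/wireguard/private.key` task is echoed into the provisioning output, so that task and the set_fact that follows should carry `no_log: true`. Finally, `policy: allow` as the UFW default means the later port 22 and 51820/udp allow rules change nothing; the usual shape is a default-deny policy with those explicit allows.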
@ -0,0 +1,10 @@
[Interface]
PrivateKey = {{ server_private_key }}
Address = 10.6.0.1/24
ListenPort = 51820
SaveConfig = true
PostUp = ufw route allow in on wg0 out on {{ server_public_interface }}
PostUp = iptables -t nat -I POSTROUTING -o {{ server_public_interface }} -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on {{ server_public_interface }}
PreDown = iptables -t nat -D POSTROUTING -o {{ server_public_interface }} -j MASQUERADE
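Review bot: `SaveConfig = true` makes wg-quick rewrite /etc/wireguard/wg0.conf from the live interface on every shutdown, so peers added at runtime are persisted there, but the playbook's template task then overwrites that file on the next provisioning run and reports a change every time. Either drop `SaveConfig` and keep peers in the template, or add a comment above it, e.g. `# wg-quick owns this file after first start; re-provisioning discards saved peers`. The `PostUp` MASQUERADE and `ufw route allow` lines only carry traffic if IPv4 forwarding is enabled, and nothing visible on this page sets `net.ipv4.ip_forward`; if it is set elsewhere in the repository a comment naming where would help, otherwise a sysctl task belongs in the playbook.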
@ -0,0 +1,8 @@
#!/bin/bash
set -eux
NETWORK_NAME="kp_wg_network"
sudo virsh net-destroy $NETWORK_NAME
sudo virsh net-undefine $NETWORK_NAME
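Review bot: With `set -e` in force, `sudo virsh net-destroy $NETWORK_NAME` aborts the script whenever the network is already inactive, so `net-undefine` never runs and the definition is left behind for the next `start.sh` to trip over. Tolerate the inactive case, `sudo virsh net-destroy "$NETWORK_NAME" || true`, and quote the expansion in the undefine call as well, `sudo virsh net-undefine "$NETWORK_NAME"`.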
@ -0,0 +1,14 @@
<network>
<name>kp_wg_network</name>
<forward mode="nat">
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name="kp_wg_network" stp='on' delay='0'/>
<ip address="192.168.123.1" netmask="255.255.255.0">
<dhcp>
<range start="192.168.123.2" end="192.168.123.254"/>
</dhcp>
</ip>
</network>
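Review bot: The DHCP range `192.168.123.2`–`192.168.123.254` covers the static addresses the Vagrantfile assigns on this same network (`192.168.123.10` for the root node and `.11`–`.13` for the clients), so libvirt's dnsmasq can hand one of those addresses to another guest and produce an address conflict. Narrow the pool so it ends before the static block, `<range start="192.168.123.100" end="192.168.123.254"/>`, or add `<host>` reservations for the four guests.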
@ -0,0 +1,11 @@
#!/bin/bash
set -eux
NETWORK_NAME="kp_wg_network"
sudo virsh net-define "${NETWORK_NAME}.xml"
sudo virsh net-start $NETWORK_NAME
sudo virsh net-autostart $NETWORK_NAME
sudo virsh net-list --all
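Review bot: `sudo virsh net-define "${NETWORK_NAME}.xml"` resolves the XML file relative to the caller's working directory, while the README runs this script as `./virsh_network/start.sh` from the repository root, so the define step presumably fails unless the XML also sits in the root; anchor it to the script's own directory, `sudo virsh net-define "$(dirname "$0")/${NETWORK_NAME}.xml"`. The `$NETWORK_NAME` expansions in the `net-start` and `net-autostart` calls should be quoted the way the define line already is. Re-running the script also stops at `net-start` once the network is active, since `set -e` aborts on that error; a guard near the top such as `virsh net-info "$NETWORK_NAME" >/dev/null 2>&1 && exit 0` makes it safe to run twice.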